“Quantity has a quality all its own”
- apocryphally attributed to Josef Stalin, discussing Russian weapons production in WWII

The US Air Force defines “mass” as “to concentrate the effects of combat power at the most advantageous place and time to achieve decisive results”1; Air Force Doctrine Document (AFDD) 3-12 echoes this definition while noting that cyber forces “[m]ust integrate and synchronize with other forces”2. But what does this mean for strategy in the cyber domain? Some have suggested that the concept of mass no longer applies in cyberspace, and that a handful of attackers could launch devastating attacks from anywhere in the world3. Col Gregory Rattray (USAF, Ret.), in “Strategic Warfare in Cyberspace”, discusses the support functions, such as network intelligence, targeting, and tool development, that make cyber attacks more effective. This suggests another perspective on mass, one that includes not just the “tooth” of operators attacking targets but also the “tail” required to field a team capable of consistently launching successful attacks, since he suggests that the analysts and programmers may need to significantly outnumber the people actually carrying out attacks4. This is a significant difference and an important question to resolve, but personnel issues are not the only way to understand mass in cyber war.

Mass can also be thought of in terms of the volume of attack traffic; at the simplest level, in terms of the number of bits or packets passing into the target. At other times a more meaningful definition of volume might be the number of viruses being released simultaneously, typically from the perspective of the firewalls and antivirus tools that will try to block the malware. What attackers or researchers consider one virus might use self-modifying (polymorphic) code to appear as hundreds of different viruses to the filters it tries to sneak through. Alternatively, the number of nodes under attack could be a worthwhile definition of volume: at the lowest level, the number of devices being attacked; at a higher level, the number of network domains or physical sites (i.e. bases) under attack. This is an oversimplification, but these different aspects of “volume” can be thought of as a cyberspace version of firepower. A third way mass can be understood in cyber war is in terms of the robustness or survivability of the networks being defended. A network with plenty of spare devices, bandwidth, and redundant paths will be more survivable, or at least able to recover more quickly, against a variety of attacks. Likewise, the number and skill of the technicians maintaining and defending the networks under attack is an often-overlooked way to consider mass. Finally, most countries will be more constrained in peacetime cyber actions than when launching wartime cyber attacks, so mass may not take on as many aspects in peacetime covert actions as in open cyber war.

Since many readers may not be familiar with how firewalls and antivirus software protect networks, here is a quick explanation. Typically a firewall filters the traffic entering or leaving a local network, while antivirus software scans the files and running programs on a specific computer. There are exceptions like Network-based Intrusion Detection Systems (NIDS) or router Access Control List (ACL) filters, but the majority of the devices protecting a network are firewalls or traditional antivirus, and most alternative tools use similar rules for their scans and filters5. There are two primary ways they scan for viruses: signatures and heuristics. The most common way a network's defenses search out malware is by checking signatures, usually just matching part or all of a file, or a network packet, against a list of byte patterns or hashes taken from known malware. This can be fairly effective against known attacks, but it obviously fails to detect most new attacks, and it often fails to catch known attacks that have received even minor changes6, since an exact-match signature is defeated by any change to the bytes it matches.
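The following is an added illustration of the point above and of the later observation that one self-modifying virus can look like hundreds of distinct ones to a signature filter. It is example code written for this edit, not code from the original paper or from any product. The “malware” payload, the decoder header and the one-byte XOR mutation engine are all constructed here for demonstration, and the “heuristic” is a deliberately simple pattern check on the decoder stub rather than a real behavioral engine.

```python
"""Signature matching versus a self-modifying sample (added example).

A signature database holds a full-file hash and a distinctive byte string
taken from one known sample. A trivial mutation engine re-encodes that
sample with a fresh one-byte XOR key and prepends a small decoder header,
so every variant unpacks to the same payload on the victim but presents
different bytes to any filter inspecting it on disk or on the wire.
"""
import hashlib

# Constructed payload standing in for the body of a known malware sample.
PAYLOAD = b"cmd=open_backdoor;port=4444;beacon=10m;" * 4

# Constructed signature database as a vendor might ship it: the hash of the
# original sample plus one distinctive substring of it.
SIGNATURE_DB = {
    "hashes": {hashlib.sha256(PAYLOAD).hexdigest()},
    "substrings": [b"open_backdoor;port=4444"],
}

# Hypothetical decoder header: magic bytes followed by the one-byte XOR key.
DECODER_MAGIC = b"\x7fXOR"


def signature_match(sample: bytes, db=SIGNATURE_DB) -> bool:
    """Exact-match detection: full-file hash or known byte substring."""
    if hashlib.sha256(sample).hexdigest() in db["hashes"]:
        return True
    return any(sig in sample for sig in db["substrings"])


def mutate(payload: bytes, key: int) -> bytes:
    """Produce one variant: header + key byte + payload XORed with the key.

    key must be 1..255; a zero key would leave the payload unchanged.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be in 1..255")
    body = bytes(b ^ key for b in payload)
    return DECODER_MAGIC + bytes([key]) + body


def unpack(variant: bytes) -> bytes:
    """What the victim machine does: strip the header and undo the XOR."""
    if not variant.startswith(DECODER_MAGIC):
        raise ValueError("not a packed variant")
    key = variant[len(DECODER_MAGIC)]
    return bytes(b ^ key for b in variant[len(DECODER_MAGIC) + 1:])


def heuristic_match(sample: bytes) -> bool:
    """Pattern-based detection: flag the decoder-stub layout itself.

    This catches every variant regardless of key, because it keys on how
    the sample is built rather than on its payload bytes. The price is that
    any benign file using the same layout is flagged too, which is the
    false-positive problem the text discusses next.
    """
    return sample.startswith(DECODER_MAGIC)


def run_experiment(n_variants: int = 200) -> dict:
    """Generate n_variants mutations and count what each method catches."""
    variants = [mutate(PAYLOAD, key) for key in range(1, n_variants + 1)]
    distinct_hashes = {hashlib.sha256(v).hexdigest() for v in variants}
    return {
        "variants": len(variants),
        "all_unpack_to_original": all(unpack(v) == PAYLOAD for v in variants),
        "distinct_signatures_needed": len(distinct_hashes),
        "caught_by_signature": sum(signature_match(v) for v in variants),
        "caught_by_heuristic": sum(heuristic_match(v) for v in variants),
        "original_caught_by_signature": signature_match(PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name}: {value}")
```

Running the experiment shows the asymmetry the text describes: the unmodified sample is caught, every one of the 200 variants evades both the hash and the substring signature while still unpacking to the identical payload, and a defender relying on signatures would need 200 new entries pushed to every perimeter device to block them, whereas the single stub-layout heuristic catches all of them.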

The other way network defenses find malware is by using “heuristics”: rather than looking for specific text or files that are known to be malicious, they look for suspicious patterns or behavior. This is more effective, though not perfect, at catching new (“zero-day”) attacks and much better at catching new variations of old attacks; however, most heuristic algorithms have high false positive rates. Because they frequently flag or block legitimate traffic and applications more often than actual attacks, they can be extremely time-intensive and frustrating to operate. These filters face statistical problems similar to some cancer screenings7: since the vast majority of network traffic isn't malicious, a filter that flags 95% of viruses and 1% of legitimate traffic will produce more false positives than actual viruses whenever malicious traffic makes up less than roughly one percent of the total8. Many commercial products use a combination of both approaches, and security researchers are working on several alternative ways to detect attacks, but today all but the most important and secure networks tend to rely heavily on signature-based detection, since lack of resources makes other methods infeasible9. As a result, on many large military or industrial networks new attacks will not be detected until it is too late and they have already overrun the network.
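The base-rate arithmetic behind the 95%/1% example above, worked through as an added example (this code is written for this edit, not taken from the paper or its sources). The detector figures are the text's own; the traffic volumes and prevalence values used to illustrate them are assumed for the demonstration.

```python
"""Base-rate arithmetic for a heuristic filter (added example).

Given a detector's sensitivity (fraction of malicious items it flags), its
false-positive rate (fraction of benign items it flags) and the prevalence
of malicious items in the inspected traffic, compute the expected alert mix
and the prevalence below which false alarms outnumber real detections.
"""


def alert_mix(sensitivity: float, false_positive_rate: float,
              prevalence: float, items: int) -> dict:
    """Expected true and false positives among `items` inspected objects."""
    malicious = items * prevalence
    benign = items - malicious
    tp = malicious * sensitivity
    fp = benign * false_positive_rate
    # Precision: the fraction of alerts an analyst sees that are real.
    precision = tp / (tp + fp) if tp + fp else 0.0
    return {"true_positives": tp, "false_positives": fp, "precision": precision}


def breakeven_prevalence(sensitivity: float, false_positive_rate: float) -> float:
    """Prevalence p below which false positives outnumber true positives.

    FP > TP  <=>  (1 - p) * f > p * s  <=>  p < f / (s + f)
    """
    return false_positive_rate / (sensitivity + false_positive_rate)


if __name__ == "__main__":
    s, f = 0.95, 0.01  # the text's detector: 95% of viruses, 1% of clean traffic
    print(f"false positives exceed true positives below prevalence "
          f"{breakeven_prevalence(s, f):.3%}")
    for p in (0.1, 0.01, 0.001, 0.0001):  # assumed prevalence values
        m = alert_mix(s, f, p, items=1_000_000)  # assumed traffic volume
        print(f"prevalence {p:.2%}: TP={m['true_positives']:.0f} "
              f"FP={m['false_positives']:.0f} precision={m['precision']:.1%}")
```

With the text's figures the crossover sits at a little over one percent malicious traffic; at one malicious object per thousand, a million inspected objects yield about 950 real detections buried in roughly 9,990 false alarms, so fewer than one alert in ten is genuine, which is the operator workload the paragraph describes.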

Because of these limitations, in the current state of cyberspace an attack's effects are not always proportional to its sophistication. The size, complexity, defenses, and interconnectedness of the target determine how sophisticated an attack must be to succeed. An attacker's political constraints, such as requiring stealth and non-attribution (or false attribution), often increase the level of sophistication required, as well as the workload for the attackers. However, because those factors vary between major military and infrastructure targets, some critical targets are nearly impossible to secure without crippling their functionality, while others, especially smaller targets, even if less critical, may require highly sophisticated attacks. DoS attacks can often afford to be less sophisticated than espionage attempts; large, geographically distributed, multi-node networks offer more opportunities to slip an attack in and make the job of monitoring defenses much harder; Commercial Off-The-Shelf (COTS)-based hardware and software can be attacked with standard training and tools, whereas the specialized systems often found in intelligence, nuclear, or infrastructure settings may require extensive reconnaissance and custom-built attacks10.

Although his work makes some highly questionable assumptions, Thomas Rid11 is correct in noting that stealthy, highly targeted, “strategic” attacks like Stuxnet12 require significant resources to assemble and are not easily reused; this type of attack requires dozens of intelligence analysts, programmers, and operators to design, assemble, and launch. While different groups may combine some or all of those functions in the training an individual cyber warrior receives, this type of attack against a highly defended target will still require months of work from dozens of highly trained people. To the extent that a cyber campaign seeks to quickly corrupt or disable large numbers of hardened, stand-alone targets, it will clearly require significant investments, and those investments rise if stealth or non-attribution is needed, particularly since the teams working on the stand-alone targets will be unavailable for “routine” cyber intelligence work, which will presumably still be needed.

However, there are also many cyberspace targets that are less robustly defended, and some of them can be high-value targets. Although nuclear facilities like the ones targeted by Stuxnet are likely to remain “air-gapped” and carefully defended, many military and industrial systems require much broader access to be effective. Power grids, for example, cannot function efficiently unless the individual power stations are constantly communicating with each other. They may not be “online” in the sense of sending unencrypted traffic directly over the Internet, but that interconnection can still be used to control, degrade, or destroy the entire grid with a single attack, although it must be noted that in large countries like the US or Russia, “the power grid” is actually a set of loosely coupled regional grids; for example, the US has 3 regional grids13, and Russia, though more centralized than the US, has 7 regions with limited interconnections14. Many military networks face the same situation: they must link a large number of units and bases to provide the force multiplier effects all modern militaries rely on, which makes it very difficult to keep sophisticated attacks from spreading once they compromise one node on the network.

In this environment, the second definition of mass is probably a better way to understand it. Some targets are vulnerable to attacks that can be created by a single team and then launched against the entire network, and if successful, can severely hamper an entire region. Linked utilities are one example, particularly power grids, which tend to be larger, more interdependent networks than other utility networks; another might be the military networks used for C2, logistics, and operational situational awareness. These functions are needed at the tactical or operational level, and therefore typically require a network shared across a large number of critical nodes. At the extremely simple end of the spectrum of possible cyber attacks, mass in a Distributed Denial of Service (DDoS) attack is simply the amount of bandwidth (or the rate of requests) used to try to overwhelm the target network. As we progress up the spectrum, if an attack uses effective self-modifying code, the defender may need to block not one but hundreds or thousands of new virus signatures at dozens to thousands of network perimeters (each firewall protecting a local area or network must be updated with all the relevant virus signatures to block). In some cases, the number of “exploits” viruses are using might be more relevant than how a virus mutates to sneak through filters: an exploit is the malicious code that uses an error in a target's software to take control of the system; when more vulnerabilities are exploited, the virus is more likely to succeed15. Most military networks have technicians who spend enormous amounts of time trying to patch known vulnerabilities before an attack takes advantage of them, knowing that firewalls and antivirus do not stop all attacks. An attack that only uses one exploit will fail if the corresponding vulnerability is thoroughly patched on its target; while patching quickly and thoroughly is a very hard problem16, there are tools that enable large modern networks to patch most systems in a matter of days.17 If an attack uses more than one exploit, it increases the challenge defenders face, since the attack succeeds wherever any one of the vulnerabilities remains unpatched; however, exploits, particularly zero-day exploits, can be valuable intelligence assets, and many authorities advise against revealing them wantonly.18 On the other hand, these exploits are more numerous than many people realize; for example, between January and May of 2012, Microsoft announced, and released patches for, 31 serious vulnerabilities in the Windows 7 operating system and its common applications (i.e. the Microsoft Office suite).19

Alternatively, there are attacks where mass is better understood as the number of networks targeted by an attack or series of attacks. The author's previous work discusses attacks that can cut local networks off from centralized control or response20; in these types of attacks the number of geographic locations or local networks attacked may be more meaningful than the manpower used to create the attacks or the variety of attacks used. This applies primarily to Denial of Service (DoS) and DDoS attacks21, or to highly centralized network defenses: if there are skilled network defenders at each location, they should be able to clear up simple attacks relatively easily (particularly DDoS attacks), whereas a more centralized approach to network defense may lead to defenders being cut off from the networks underneath them, or to defenders being spread too thin to react in all locations simultaneously.

Conversely, in these types of attack manpower can be the critical element of mass for the defenders; unlike highly targeted attacks, these types of DoS attacks can be highly asymmetric. Although they are subject to the arms race between attackers and defenders, as filters, scans, and network tools race to catch up with hacking techniques, these DoS attacks can be launched by fairly small teams, and can require large numbers of defenders to patch and clean each local network under attack.

The relevant measure of combat power in cyberspace varies depending on the types of attacks in play and the networks needing defense; while knowledgeable technicians and operators are always important22, the appropriate balance between quality and quantity depends on the attacks and tools a military anticipates using and facing. Given the budgetary limits all militaries face, and the wide range of possible cyber attacks, these are trade-offs that all militaries must make. If the primary threat is from stealthy attacks similar to Stuxnet, intended to covertly corrupt data or invisibly damage specific facilities, then network defenders need to be very highly trained, especially in forensic techniques. However, they may not need to be much more numerous than their attackers, and network defenses can often afford to catch attacks after the attack has, at least partially, succeeded, since the attacks will often spread slowly and inflict damage slowly in order to avoid detection. If the primary threat is instead attacks designed to quickly take down or isolate critical systems, network defenders will need to be much more numerous, and their skills should focus on countering overt attacks and rebuilding the systems an attacker does successfully take down. To acquire enough knowledge about potential adversaries to know which case applies typically requires a significant investment in cyber-focused intelligence personnel; more such personnel will be needed to enable successful attacks in response.23 It is possible for both types of attacks to be launched simultaneously, but in most cases if these attacks are hitting the same networks and systems they will interfere with each other (often resulting in the attacker losing control of the more precise, highly targeted attacks); what is more likely is for overt DoS or DDoS attacks to target one area while a different system or network is attacked more carefully and covertly, away from the obvious attack. Of course, in any conflict today coordinating and deconflicting cyber attacks, both from each other and from nearby kinetic attacks, is a critical planning effort.24

A look at airpower history may help clarify these different approaches; in some ways, cyber attackers face a problem similar to the one faced by the USAAF and RAF in their bombing campaigns against Germany's industrial system in WWII. Highly targeted (Stuxnet-style) attacks, taking down a handful of isolated high-value targets with one-time, uniquely crafted attacks, often slowly and covertly, can be thought of as similar to the WWII US approach to strategic bombing. In this approach, the attacker finds a handful of critical nodes and spends large amounts of manpower, time, and combat power to bring those systems down25, confident that the enemy will be unable to function without those critical nodes. In contrast, the various forms of DoS attacks can be thought of as similar to the British approach to targeting: rather than directly attacking specific, often highly defended, critical systems, the attacker attempts to take down some aspect of the local or regional network the critical systems rely on. The WWII RAF approach to targeting was initially based on targeting key factories, but after initial failures and high losses, the RAF switched to simply bombing major industrial cities, targeting the entire industrial ecosystem rather than a series of discrete “key nodes”. The USAAF, despite a similarly disappointing start, targeted what it considered vital nodes, primarily aircraft production, fuel, transportation, and ball bearings, from 1943 to 1945, attempting to crash the German industrial system by destroying or disabling a handful of key nodes, such as the ball-bearing factory at Schweinfurt and the refinery at Ploesti26. Of course, in execution, the USAAF approach and the RAF approach were not always quite so different. USAAF B-17s and B-24s were often incapable of placing their bombs on target with weather and German defenses interfering27, but the two targeting approaches bear similarities to the cyber equivalents discussed above. Of course, PCs and switches on a military network are less controversial targets than the populace of industrial cities, but many DoS attacks are less precise and more likely to spill over and have unintended consequences in civilian cyberspace. It is important to note that, depending on the situation, both types of attacks can be highly effective: Stuxnet is an obvious example of a highly targeted attack; the 2007 DDoS attacks on Estonia provide an example of one DDoS attack that had significant impacts28, while DoS attacks alleged to have been coordinated by Russia damaged Georgia's ability to respond to Russian armor advances in 200829.

Consequently, while taking a single reactor down is extremely difficult and typically requires carefully crafting a brand-new attack, disrupting C2 or logistics across a military is often practical using “off-the-shelf” hacking tools to put together a relatively crude attack. Unlike in most other domains, in cyberspace a larger, more distributed target is much easier to attack and cripple. Recent discussions of cyber war have often mistaken espionage for war, and as a result some commentators have assumed that exploits are more valuable than they would be in wartime, that stealth is more necessary than it would be in wartime, and that large military or infrastructure networks possess the same defenses that small intelligence or nuclear systems often have30.

These misunderstandings distort the nature of mass in cyber war, and they can lead to major mistakes in organizing cyber war units or creating network defenses. While cyber espionage, including covert cyber attacks in peacetime, will tend to involve stealthy, highly targeted attacks, cyber attacks in open war can span all the different forms of mass and combat power discussed above. Diplomatic and political constraints may vary from a “cyber-only” conflict to a traditional “kinetic” war that includes cyber attacks, but both are likely to include more overt attacks that sacrifice stealth to strike harder and faster, enabling widespread attacks with limited resources.

Mass matters in cyber war, but its meaning varies depending on the nature of the attack and the target. While the tactical level may not always be impacted too severely, particularly in non-US militaries and/or ground forces, where networks may be less heavily used, at the operational level modern militaries rely heavily on their networks for logistics and situational awareness. These networks are “centers of gravity”, and if they can be disrupted it can significantly reduce the effectiveness of the forces that depend on them. While highly targeted attacks can be devastatingly effective, there are also DoS alternatives that can be crippling when targeted and executed correctly. The correct definitions of mass and combat power in cyber war are fluid, like cyberspace itself, and militaries that restrict themselves to one facet of it risk defeat when an adversary attacks in ways that do not match their doctrine and organization.